The Web Security Mailing List

David "I like to beat up on oracle" Litchfield has published a new paper outlining how DBMS_ASSERT can be misused in such a way that SQL Injection is possible.

From the whitepaper:

"The DBMS_ASSERT builtin package can be used by PL/SQL developers to protect against SQL injection attacks [1]. In [2] Alex Kornbrust showed that there are certain cases where the use of the DBMS_ASSERT.QUALIFIED_SQL_NAME function can be unintentionally misused by developers in such a way that SQL injection is still possible. Alex's attack showed a way to break out of a quoted string to inject arbitrary SQL. This paper discusses another scenario where using the same function can still allow an attacker to inject arbitrary SQL. The problem arises when the QUALIFIED_SQL_NAME function is used to validate a column name in a select list or where clause, for example. Multiple instances of this scenario have been found and reported to Oracle."
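The pattern the abstract warns about, and the usual defensive alternative, as an added PL/SQL example (this is not code from Litchfield's paper or from Oracle; the `emp` table, its columns, and the function name `get_emp_field` are assumptions chosen for illustration). The first procedure shows the risky shape: a caller-supplied column name is passed through DBMS_ASSERT.QUALIFIED_SQL_NAME and then concatenated into the select list. The second resolves the input against a fixed list of permitted column names, so the caller's string never reaches the SQL text at all; the row key is still bound as a variable.

```plsql
-- Risky shape described in the paper: DBMS_ASSERT.QUALIFIED_SQL_NAME is the
-- only check before the name is concatenated into a select list.
-- (Example code, not from the paper; emp/empno are assumed to exist.)
CREATE OR REPLACE FUNCTION get_emp_field_risky(p_col IN VARCHAR2,
                                               p_empno IN NUMBER)
  RETURN VARCHAR2
IS
  l_sql VARCHAR2(200);
  l_val VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT ' || DBMS_ASSERT.QUALIFIED_SQL_NAME(p_col)
        || ' FROM emp WHERE empno = :1';
  EXECUTE IMMEDIATE l_sql INTO l_val USING p_empno;
  RETURN l_val;
END get_emp_field_risky;
/

-- Defensive shape: map the caller's input onto a closed allowlist of column
-- names. Only a literal from the list is ever spliced into the statement;
-- anything else is rejected before any SQL is built.
CREATE OR REPLACE FUNCTION get_emp_field(p_col IN VARCHAR2,
                                         p_empno IN NUMBER)
  RETURN VARCHAR2
IS
  l_col VARCHAR2(30);
  l_sql VARCHAR2(200);
  l_val VARCHAR2(4000);
BEGIN
  -- Assumed permitted columns of the assumed emp table.
  CASE UPPER(TRIM(p_col))
    WHEN 'ENAME'  THEN l_col := 'ENAME';
    WHEN 'JOB'    THEN l_col := 'JOB';
    WHEN 'DEPTNO' THEN l_col := 'DEPTNO';
    ELSE RAISE_APPLICATION_ERROR(-20001, 'column not permitted: ' || p_col);
  END CASE;

  -- l_col is one of our own literals; empno is still a bind variable.
  l_sql := 'SELECT ' || l_col || ' FROM emp WHERE empno = :1';
  EXECUTE IMMEDIATE l_sql INTO l_val USING p_empno;
  RETURN l_val;
END get_emp_field;
/
```

The allowlist form keeps the same external interface (a column name and a key), so it can replace the risky one without changing callers. A rejected name raises ORA-20001, which is also a convenient audit hook: log those rejections, since repeated failures from one session are a signal that someone is probing the parameter.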